View the source code for this module on GitHub: https://github.com/mcp-use/mcp-use/blob/main/libraries/typescript/packages/mcp-use/src/server/oauth/index.ts
oauth value you pass to new MCPServer({ ... }). Each one returns an OAuthProvider (or OAuthProxy) that the server uses to verify bearer tokens, proxy .well-known metadata discovery, and extract user info onto ctx.auth.
There are two integration modes:
- DCR-direct providers (
oauthAuth0Provider,oauthBetterAuthProvider,oauthClerkProvider,oauthKeycloakProvider,oauthSupabaseProvider,oauthWorkOSProvider,oauthCustomProvider). The MCP server proxies metadata discovery to the upstream authorization server and verifies tokens. Clients communicate directly with the upstream for authorize, token, and register. - Proxy mode (
oauthProxy) for providers without Dynamic Client Registration support (Google, GitHub, Okta, Microsoft Entra ID, and enterprise IdPs). The server mediates the flow: it exposes a/registerendpoint returning the configuredclientId, injectsclientId/clientSecretat token exchange, and passes upstream tokens through without minting its own.
mcp-use/server.
Functions
oauthAuth0Provider
Create an Auth0 OAuth provider for an MCP server.OAuthProvider backed by Auth0. Supports zero-config setup: when config is omitted, domain falls back to MCP_USE_OAUTH_AUTH0_DOMAIN and audience falls back to MCP_USE_OAUTH_AUTH0_AUDIENCE. Throws Error if domain is missing ("Auth0 domain is required.") and throws Error if audience is missing ("Auth0 audience is required."). The config argument is Partial<Auth0ProviderConfig> and defaults to an empty object.
Parameters
ReturnsOptional Auth0 configuration. Values passed here override the corresponding environment variables.
Signature
oauthBetterAuthProvider
Create a Better Auth OAuth provider for an MCP server.OAuthProvider backed by Better Auth’s OAuth Provider plugin. The MCP server only verifies tokens and serves metadata; clients discover Better Auth’s endpoints via .well-known passthrough (/oauth2/authorize, /oauth2/token, /oauth2/register, /jwks) and talk to Better Auth directly. authURL falls back to MCP_USE_OAUTH_BETTER_AUTH_URL. Throws Error if authURL is missing ("Better Auth authURL is required."). The config argument is Partial<BetterAuthProviderConfig> and defaults to an empty object.
Parameters
ReturnsOptional Better Auth configuration. Values passed here override the corresponding environment variables.
Signature
oauthClerkProvider
Create a Clerk OAuth provider for an MCP server.OAuthProvider backed by Clerk. Uses Dynamic Client Registration: clients register themselves with Clerk (enable DCR in the Clerk Dashboard under Configure, OAuth Applications, Dynamic Client Registration), and the MCP server only verifies Clerk-issued tokens. frontendApiUrl falls back to MCP_USE_OAUTH_CLERK_FRONTEND_API_URL. Throws Error if frontendApiUrl is missing ("Clerk frontendApiUrl is required."). The config argument is Partial<ClerkProviderConfig> and defaults to an empty object.
Parameters
ReturnsOptional Clerk configuration. Values passed here override the corresponding environment variables.
Signature
oauthKeycloakProvider
Create a Keycloak OAuth provider for an MCP server.OAuthProvider backed by Keycloak using its native Dynamic Client Registration (RFC 7591). serverUrl falls back to MCP_USE_OAUTH_KEYCLOAK_SERVER_URL, realm falls back to MCP_USE_OAUTH_KEYCLOAK_REALM, and audience falls back to MCP_USE_OAUTH_KEYCLOAK_AUDIENCE. Throws Error if serverUrl is missing ("Keycloak serverUrl is required.") and throws Error if realm is missing ("Keycloak realm is required."). The config argument is Partial<KeycloakProviderConfig> and defaults to an empty object.
Parameters
ReturnsOptional Keycloak configuration. Values passed here override the corresponding environment variables.
Signature
oauthSupabaseProvider
Create a Supabase OAuth provider for an MCP server.OAuthProvider backed by Supabase’s OAuth 2.1 server. Supports zero-config setup: projectId falls back to MCP_USE_OAUTH_SUPABASE_PROJECT_ID, supabaseUrl falls back to MCP_USE_OAUTH_SUPABASE_URL, and jwtSecret falls back to MCP_USE_OAUTH_SUPABASE_JWT_SECRET. The hosted URL is derived as https://${projectId}.supabase.co unless supabaseUrl is set (use supabaseUrl for local or self-hosted instances, e.g. http://localhost:54321). Throws Error if neither projectId nor supabaseUrl is resolved ("Supabase projectId or supabaseUrl is required."). The config argument is Partial<SupabaseProviderConfig> and defaults to an empty object.
Parameters
ReturnsOptional Supabase configuration. Values passed here override the corresponding environment variables.
Signature
oauthWorkOSProvider
Create a WorkOS AuthKit OAuth provider for an MCP server.OAuthProvider backed by WorkOS AuthKit using Dynamic Client Registration. Clients register themselves with WorkOS (enable DCR in the WorkOS Dashboard under Connect, Configuration), and the MCP server only verifies WorkOS-issued tokens. subdomain falls back to MCP_USE_OAUTH_WORKOS_SUBDOMAIN. Throws Error if subdomain is missing ("WorkOS subdomain is required."). The config argument is Partial<WorkOSProviderConfig> and defaults to an empty object.
Parameters
ReturnsOptional WorkOS configuration. Values passed here override the corresponding environment variables.
Signature
oauthCustomProvider
Create an OAuth provider for any standards-compliant authorization server.OAuthProvider from explicit endpoint URLs and a custom verifyToken function. Unlike the other factories, config is required (there are no environment-variable fallbacks). Use this for any OAuth provider that exposes standard .well-known discovery and an authorization plus token endpoint, where you supply your own token verification logic.
Parameters
ReturnsCustom provider configuration with explicit endpoints and averifyTokenfunction.
Signature
oauthProxy
Create an OAuth proxy for providers without Dynamic Client Registration.OAuthProxy for providers that lack DCR support (Google OAuth, GitHub OAuth, Okta, Microsoft Entra ID, and enterprise IdPs). The proxy exposes a /register endpoint that returns the configured clientId, injects clientId/clientSecret at token exchange, verifies tokens via the supplied verifyToken function, and passes upstream tokens through without minting its own. scopes defaults to ["openid", "email", "profile"] and grantTypes defaults to ["authorization_code", "refresh_token"]. When getUserInfo is omitted, a default extractor reads the standard OIDC claims (sub, email, name, picture) and splits the scope claim into scopes.
Throws Error if any of authEndpoint, tokenEndpoint, issuer, clientId, or verifyToken is missing. The verifyToken error message points you to jwksVerifier() for JWT/JWKS providers.
Pair oauthProxy with jwksVerifier() (exported from mcp-use/server) to verify JWTs against a remote JWKS. jwksVerifier enforces the iss claim, optionally enforces aud, and throws early with a helpful message if the token is not a three-segment signed JWT (for example, when an authorize request omitted a valid audience and the provider issued an opaque token).
Parameters
ReturnsOAuth proxy configuration including upstream endpoints, client credentials, and averifyTokenfunction.
Signature
mountOAuthProxy
Mount CORS-free OAuth proxy routes on a Hono app.oauthProxy (which configures the MCP server’s own auth). It registers two routes under basePath (default /oauth): GET <basePath>/metadata proxies .well-known metadata discovery (with WWW-Authenticate header discovery and standard-path fallbacks), and POST <basePath>/proxy forwards general OAuth requests such as token exchange and registration. The routes enable permissive CORS (origin: "*", methods GET, POST, OPTIONS). Returns void. The options argument defaults to an empty object.
Parameters
ReturnsThe Hono application instance to register routes on.Configuration options for the proxy routes.
Signature
Types
Auth0ProviderConfig
Configuration foroauthAuth0Provider.
oauthAuth0Provider accepts Partial<Auth0ProviderConfig> and fills any missing domain/audience from environment variables.
Properties
SignatureAuth0 tenant domain, e.g.my-tenant.auth0.com.API identifier used as the JWTaudclaim.Whether to verify the JWT signature.Scopes advertised in metadata.
BetterAuthProviderConfig
Configuration foroauthBetterAuthProvider.
authURL falls back to MCP_USE_OAUTH_BETTER_AUTH_URL. The optional getUserInfo callback maps the verified JWT payload to a UserInfo object (sync or async). Note the getUserInfo parameter is typed Record<string, unknown>, which contains a curly brace; see the signature fence below.
Properties
SignatureBase URL of the Better Auth OAuth server, e.g.http://localhost:3000/api/auth.Whether to verify the JWT signature.Scopes advertised in metadata.Optional callback mapping a verified payload to user info.
ClerkProviderConfig
Configuration foroauthClerkProvider.
frontendApiUrl falls back to MCP_USE_OAUTH_CLERK_FRONTEND_API_URL.
Properties
SignatureClerk Frontend API URL, e.g.https://verb-noun-42.clerk.accounts.devorhttps://clerk.yourdomain.com.Optional audience for JWT verification.Whether to verify the JWT signature.Scopes advertised in metadata.
KeycloakProviderConfig
Configuration foroauthKeycloakProvider.
serverUrl falls back to MCP_USE_OAUTH_KEYCLOAK_SERVER_URL, realm to MCP_USE_OAUTH_KEYCLOAK_REALM, and audience to MCP_USE_OAUTH_KEYCLOAK_AUDIENCE.
Properties
SignatureKeycloak base URL, e.g.https://keycloak.example.com.Keycloak realm name.MCP server URL used to validate the JWTaudclaim (set via a Keycloak audience mapper on client scopes).Whether to verify the JWT signature.Scopes advertised in metadata.
SupabaseProviderConfig
Configuration foroauthSupabaseProvider.
projectId or supabaseUrl must resolve (from config or environment). projectId derives the hosted URL https://${projectId}.supabase.co; supabaseUrl overrides it for self-hosted or local instances.
Properties
SignatureSupabase project ID used to derive the hosted URL.Explicit Supabase base URL. Overrides the projectId-derived URL, e.g.http://localhost:54321.Optional JWT secret for legacy HS256 token verification.Whether to verify the JWT signature.Scopes advertised in metadata.
WorkOSProviderConfig
Configuration foroauthWorkOSProvider.
subdomain falls back to MCP_USE_OAUTH_WORKOS_SUBDOMAIN.
Properties
SignatureWorkOS AuthKit subdomain, e.g.my-company.authkit.app.Whether to verify the JWT signature.Scopes advertised in metadata.
CustomProviderConfig
Configuration foroauthCustomProvider.
issuer, authEndpoint, tokenEndpoint, and verifyToken are required; the rest are optional. verifyToken resolves to an object containing a payload (see the signature fence for the exact type, which contains a curly brace). The optional getUserInfo callback maps a payload to a UserInfo.
Properties
SignatureOAuth issuer URL.Authorization endpoint URL.Token endpoint URL.Function that verifies a bearer token and resolves to its decoded payload.JWKS endpoint URL for signature verification.User info endpoint URL.Scopes advertised in metadata.Audience for JWT verification.Grant types advertised in metadata.Optional callback mapping a verified payload to user info.
OAuthProxy
The proxy-mode provider returned byoauthProxy.
OAuthProvider with proxy-specific fields for providers without DCR support. Implements the full provider interface (the getter methods plus verifyToken/getUserInfo) and adds a type discriminator, pre-registered client credentials, and optional extra authorize params. The proxy exposes a /register endpoint returning the configured clientId, injects clientId/clientSecret at token exchange, and passes upstream JWTs through without minting tokens.
Properties
SignatureDiscriminator used to detect proxy providers in the provider union.Pre-registered OAuth client ID.Pre-registered OAuth client secret (optional for public clients).Extra parameters appended to authorize requests.
OAuthProxyConfig
Configuration foroauthProxy.
authEndpoint, tokenEndpoint, issuer, clientId, and verifyToken are required. scopes defaults to ["openid", "email", "profile"] and grantTypes defaults to ["authorization_code", "refresh_token"] inside oauthProxy. The verifyToken field is a VerifyToken function that resolves to an object with a payload (see the signature fence for the exact type, which contains a curly brace). When getUserInfo is omitted, standard OIDC claims are extracted.
Properties
SignatureUpstream authorization endpoint URL, e.g.https://accounts.google.com/o/oauth2/v2/auth.Upstream token endpoint URL, e.g.https://oauth2.googleapis.com/token.Token issuer, used in metadata and (when paired withjwksVerifier) enforced as theissclaim.Token verification function. UsejwksVerifier()for JWT+JWKS providers, or write your own for opaque tokens.Pre-registered OAuth client ID.Pre-registered OAuth client secret (optional for public clients).OAuth scopes to request.Supported grant types.Extra parameters added to authorize requests, e.g.{ access_type: "offline", prompt: "consent" }.Custom extractor for user info from the verified payload. Defaults to standard OIDC claims.
OAuthProxyOptions
Options formountOAuthProxy.
mountOAuthProxy. All fields are optional. The authenticate and validateTarget callbacks each take a Hono Context and may return a boolean or a promise of one; returning false rejects the request (401 for authenticate, 403 for validateTarget).
Properties
SignatureBase path for the proxy routes.Enable request logging to the console.Optional request authentication. Returnfalseto reject with 401.Optional check that the target URL is allowed. Returnfalseto reject with 403.